samba-member/entrypoint.sh

#!/bin/bash -e

# Loosely based on https://github.com/fjudith/docker-samba-join-ad/tree/master/sssd

if [ -z "$NETBIOS_NAME" ]; then
  NETBIOS_NAME=$(hostname -s | tr [a-z] [A-Z])
else
  NETBIOS_NAME=$(echo $NETBIOS_NAME | tr [a-z] [A-Z])
fi
REALM=$(echo "$REALM" | tr [a-z] [A-Z])
DOMAIN=$(echo "$REALM" | tr [A-Z] [a-z])

if [ ! -f /etc/timezone ] && [ ! -z "$TZ" ]; then
  echo 'Set timezone'
	rm /etc/localtime
  cp /usr/share/zoneinfo/$TZ /etc/localtime
  echo $TZ >/etc/timezone
fi

if [ ! -f /etc/samba/krb5.keytab ]; then
  if [ ! -f /run/secrets/$ADMIN_PASSWORD_SECRET ]; then
    echo 'Cannot read secret $ADMIN_PASSWORD_SECRET in /run/secrets'
    exit 1
  fi
  ADMIN_PASSWORD=$(cat /run/secrets/$ADMIN_PASSWORD_SECRET)

  rm -f /etc/samba/smb.conf /etc/krb5.conf

  # realm join is broken as it requires --privileged but difficult to add for swarm
  # so it can execute /usr/sbin/adcli. Therefore we execute it directly and create
  # the /etc/krb5.conf and /etc/sssd/sssd.conf manually
  # echo $ADMIN_PASSWORD|realm join -v $REALM --user=$ADMIN_ACCOUNT
  echo $ADMIN_PASSWORD|/usr/sbin/adcli join --verbose --domain $DOMAIN --domain-realm $REALM --login-type user --login-user $ADMIN_ACCOUNT --stdin-password
  mv /etc/krb5.keytab /etc/samba/
fi

if [ ! -L /etc/krb5.keytab ]; then    
  ln -s /etc/samba/krb5.keytab /etc/krb5.keytab
fi

echo -e "[libdefaults]\ndefault_realm = $REALM\ndns_lookup_realm = false\ndns_lookup_kdc = true" > /etc/krb5.conf

mkdir -p -m 700 /etc/samba/conf.d
for file in /etc/samba/smb.conf; do
  sed -e "s:{{ ALLOW_DNS_UPDATES }}:$ALLOW_DNS_UPDATES:" \
      -e "s:{{ BIND_INTERFACES_ONLY }}:$BIND_INTERFACES_ONLY:" \
      -e "s+{{ INTERFACES }}+$INTERFACES+" \
      -e "s:{{ LOG_LEVEL }}:$LOG_LEVEL:" \
      -e "s:{{ NETBIOS_NAME }}:$NETBIOS_NAME:" \
      -e "s:{{ REALM }}:$REALM:" \
      -e "s:{{ SERVER_STRING }}:$SERVER_STRING:" \
      -e "s:{{ WINBIND_USE_DEFAULT_DOMAIN }}:$WINBIND_USE_DEFAULT_DOMAIN:" \
      -e "s:{{ WORKGROUP }}:$WORKGROUP:" \
      /root/$(basename $file).j2 > $file
done
for file in $(ls -A /etc/samba/conf.d/*.conf); do
  echo "include = $file" >> /etc/samba/smb.conf
done

#echo "Activating home directory auto-creation"
#echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" | tee -a /etc/pam.d/common-session

if [ ! -f /var/lib/samba/private/secrets.tdb ]; then
  if [ ! -f /run/secrets/$ADMIN_PASSWORD_SECRET ]; then
    echo 'Cannot read secret $ADMIN_PASSWORD_SECRET in /run/secrets'
    exit 1
  fi
  ADMIN_PASSWORD=$(cat /run/secrets/$ADMIN_PASSWORD_SECRET)

  echo "Joining domain using net ads"
  mkdir -p /var/lib/samba/private
  mkdir -p /var/lib/samba/printerdrivers

  # Join
  net ads join --no-dns-updates -U"$ADMIN_ACCOUNT"%"$ADMIN_PASSWORD"

  ((/usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf -j /tmp/sp.pid)&)
  sleep 10

  # Allow adding printer drivers for Administrator
  # Note: These commands require running winbind that resolves the group name and dcerpcd that accesses printers list
  rpcclient -P -c enumprinters 127.0.0.1
  chgrp -R "Domain Admins" /var/lib/samba/printerdrivers
  chmod -R 775 /var/lib/samba/printerdrivers
  setfacl -R -m "d:g:Domain Admins:rwx" /var/lib/samba/printerdrivers

  # HACK: In Samba 4.16 and above shares are not visible otherwise
  smbclient -L 127.0.0.1 -P
  chmod 666 /var/lib/samba/share_info.tdb

  kill `cat /tmp/sp.pid`
fi

# CUPS persistence and permissions
mkdir -p /etc/cups-persist/ppd
touch /etc/cups-persist/printers.conf
sed -i -E "s:^(lpadmin\:x\:[0-9]+\:)(.*)$:\1$ADMIN_ACCOUNT\,\2:" /etc/group
sed -i -E "s:^(lpadmin\:x\:[0-9]+\:)(.*)$:\1$ADMIN_ACCOUNT\,\2:" /etc/group

if [ -z "$CUPS_TRUSTED_PROXY" ]; then
	sed -E -i "s:(Order allow\,deny):\1\n  Allow all:" /etc/cups/cupsd.conf
else
	sed -E -i "s:(Order allow\,deny):\1\n  Allow $CUPS_TRUSTED_PROXY:" /etc/cups/cupsd.conf
	echo -e "\n" >> /etc/cups/cupsd.conf
	echo "DefaultEncryption Never" >> /etc/cups/cupsd.conf
fi

echo 'Restarting Samba using supervisord'
exec "$@"